Title: Forward-looking Cloud Security Storage, Protection, Behavior Analysis and Observation Platform --- Subproject 3: Real-time Intrusion Detection and Response for Cloud Environments Based on Xen Hypervisor (I)
Xen Hypervisor Based Intrusion Detection and Response for IAAS Cloud (Cloud Computing-Security Technology) (I)
Author: 吳育松
Wu Yu-Sung
Department (Institute) of Computer Science, National Chiao Tung University
Keywords: cloud computing; virtualization; information security; intrusion detection; intrusion response; infrastructure-as-a-service cloud
Publication date: 2010
Abstract: Cloud computing aims to consolidate IT resources and deliver them as services over the Internet. Cloud computing currently spans three categories: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). Infrastructure as a service provides virtual machines and virtual networks over the Internet so that customers can build their own computer systems on them. IaaS is widely regarded as the direction Taiwan should prioritize in cloud computing. One reason is that IaaS clouds sit closest to the underlying hardware, and Taiwan has an established foundation and advantage in hardware. Another is that information infrastructure is a matter of national security: we clearly cannot hand government data or systems to foreign IaaS providers to manage. For IaaS clouds, virtualization is one of the key core technologies. The two current market leaders, Amazon EC2 and Rackspace, both use Xen Hypervisor as their virtualization solution. A major advantage of Xen is that it is open source and free. The success of Amazon EC2 and Rackspace also shows that Xen has reached a certain level of stability and maturity. The main purpose of this research is to develop security technologies that can ensure the safety of IaaS cloud environments. Traditionally, we rely on intrusion detection systems (IDS) and intrusion prevention and response systems (IPS) to protect our information infrastructure. Once the infrastructure is virtualized and moved to the cloud, however, the traditional IDS/IPS architecture must be reconsidered. For example, after a user obtains a group of virtual machines and configures a virtual network through the EC2 cloud, one question is whether it is necessary, or even possible, to install a hardware NIDS such as Juniper IDP. The user may also wonder whether a HIPS (host-based IPS) needs to be installed on every virtual machine. Clearly, a major reason for adopting an IaaS cloud is to save cost; if security spending after moving to the cloud remains the same as for a traditional self-hosted server room, the cloud is not really that attractive. Through this research, we will examine the role and position of traditional IDS/IPS in IaaS cloud environments. We plan to extend the functionality of Xen Hypervisor to enable more intuitive and more sensible IDS/IPS solutions for IaaS clouds. In the final stage of the project, we will build a prototype IDS/IPS system for a cloud environment on the technologies we develop, to validate the overall system design and its performance. This research not only contributes to Taiwan's overall R&D in IaaS cloud technology; the cloud IDS/IPS technologies developed can also offer our security vendors new perspectives and technical innovations that may be applied in their products.
Cloud computing aims at consolidating IT resources and providing IT services over the Internet. There are three types of cloud computing nowadays: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). IaaS cloud computing offers a pool of virtual machines on which IT systems can be built. IaaS is widely considered the primary target in cloud computing for Taiwan because, among the three types of cloud computing, IaaS is the most closely related to the underlying machine hardware, and Taiwan is a major supplier of computer hardware. Also, from the perspective of national security, no country can depend on infrastructure administered or owned by another country. Consequently, Taiwan by all means has to have access to its own IaaS clouds and the technologies behind them. To power an IaaS cloud, one of the key technologies is virtualization. For example, both Amazon EC2 and Rackspace have been using Xen Hypervisor to create virtual machines as the foundation for their IaaS clouds. Xen is open source and freely available. Most importantly, it is a proven technology, as evidenced by the success of both Amazon EC2 and Rackspace. The goal of this research is to develop technologies that can ensure the security of an IaaS cloud. Traditionally, we rely heavily on deploying intrusion detection systems (IDS) and intrusion prevention systems (IPS) to protect our infrastructure. However, when the infrastructure is virtualized and moved to the cloud, the architecture of traditional IDS and IPS will need to be adjusted accordingly. For instance, a customer of Amazon EC2 is given a set of virtual machines among which he can set up a virtual network. A traditional NIDS (network-based IDS) appliance such as Juniper IDP no longer applies in a virtual network, at least from the customer's point of view of system deployment. On the other hand, a customer may doubt whether he should deploy HIPS (host-based IPS) on each of the allotted virtual machines.
The very reason a customer would resort to an IaaS cloud instead of physical infrastructure is cost saving, and the need for the same amount of investment in security technologies such as HIPS would undermine that goal. Through this research, we will carefully study the roles of IDS and IPS in the IaaS cloud computing environment. We will extend Xen Hypervisor to include the functionality necessary for building IDS/IPS solutions on an IaaS cloud. In the end, prototype IDS/IPS systems will be built to validate the overall system design. The research not only helps Taiwan to engage in the development of IaaS cloud technologies, but can also benefit our security software companies, such as TrendMicro, by providing them with insights into the challenges and solutions for IDS/IPS products in the cloud computing environment.
Official document #: NSC99-2218-E009-019
URI: http://hdl.handle.net/11536/100554
https://www.grb.gov.tw/search/planDetail?id=2147543&docId=345672
Appears in collections: Research projects